Black Asylum

Network and System Security (or lack thereof)


While performing vulnerability assessments/penetration tests, sometimes you will need to spoof a particular IP address or MAC to get past some ACL (firewall, etc…). While some tools have this ability built in, such as nmap, most other tools do not.

You could simply change your Ethernet card’s MAC and IP address, but that can cause other issues, such as DoS-ing the real system due to IP and MAC conflicts on the network.

What I am looking for is a tool, something like proxychains, where I could use it to specify a fake (spoofed) IP address and/or MAC and then the command to run. Basically a tool that wraps all communication that some other command/tool issues.

SPOOF -ip=<ip> -mac=<mac> <command>

SPOOF -ip=10.1.1.10 -mac=00:11:22:33:44:55 telnet 10.1.1.11
SPOOF -ip=10.1.1.10 -mac=00:11:22:33:44:55 nessus -D

Any thoughts? Is there a tool already like this?

While performing a security audit/penetration test it can sometimes be hard to locate additional information and/or exploits for identified vulnerabilities. Actually it is not that hard to find some information, but to find all (or at least most) of the information you need, you typically have to check several different sites/sources. Some of the sources I usually check are:

Why do there have to be so many sites? I know that OSVDB does a fairly good job of collecting a lot of the data, but it is not always up to date on the latest vulnerabilities. If I had to pick one site to use it would probably be OSVDB at this point.

However, I propose that a “Master Site” be created that aggregates data from all of the sources stated above (as well as possibly others) into one searchable site that cross-references all of the other sources and provides data gathered/scraped from the other sources as well as links to the original sources. Sort of a “Google” search engine for vulnerabilities and exploits.

Thoughts? Comments?

According to the website:

SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes preferred ciphers of the SSL service, the certificate and is in Text and XML formats.

SSLScan is a very useful tool to quickly determine the cipher suites supported by one or more websites. Below is a screenshot of the output of the command:

# sslscan --no-failed <target>.net:443

Download it from here, or if you are running Debian or Ubuntu, you can simply issue the command:

# apt-get install sslscan
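SSLScan can also write its results as XML (the --xml=<file> option), which is handy when you scan many hosts and want to review them mechanically. The script below is an added example, not from this post or from SSLScan itself: it parses that XML and lists the protocol/cipher combinations a reviewer would normally flag. The sample XML is constructed to mimic sslscan's output format, and the weak-cipher policy (SSLv2/SSLv3, NULL, export-grade, RC4, keys under 128 bits) is an assumption you should adjust to your own baseline.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of sslscan's XML output; not data from a real scan.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<document title="SSLScan Results" version="1.8.2">
 <ssltest host="example.test" port="443">
  <cipher status="accepted" sslversion="SSLv3" bits="128" cipher="RC4-SHA" />
  <cipher status="accepted" sslversion="SSLv3" bits="40" cipher="EXP-RC4-MD5" />
  <cipher status="rejected" sslversion="TLSv1" bits="56" cipher="DES-CBC-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="0" cipher="NULL-SHA" />
  <cipher status="accepted" sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
  <cipher status="accepted" sslversion="TLSv1.2" bits="128" cipher="RC4-SHA" />
  <defaultcipher sslversion="TLSv1" bits="256" cipher="AES256-SHA" />
 </ssltest>
</document>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}  # assumed policy: no SSLv2/SSLv3 at all
MIN_BITS = 128                          # assumed policy: symmetric keys >= 128 bits


def weak_reason(sslversion, bits, cipher):
    """Return why this protocol/cipher pair is weak, or None if it passes the policy."""
    name = cipher.upper()
    if "NULL" in name:
        return "NULL cipher (no encryption)"
    if name.startswith("EXP"):
        return "export-grade cipher"
    if sslversion in LEGACY_PROTOCOLS:
        return f"legacy protocol {sslversion}"
    if bits < MIN_BITS:
        return f"key length {bits} bits is below {MIN_BITS}"
    if "RC4" in name:
        return "RC4 stream cipher"
    return None


def find_weak_ciphers(xml_text):
    """Parse sslscan XML and return (host, protocol, cipher, reason) for every
    accepted or preferred cipher that fails the policy; rejected ciphers are skipped."""
    findings = []
    for test in ET.fromstring(xml_text).iter("ssltest"):
        host = f"{test.get('host')}:{test.get('port')}"
        for c in test.iter("cipher"):
            if c.get("status") not in ("accepted", "preferred"):
                continue
            reason = weak_reason(c.get("sslversion"), int(c.get("bits", "0")), c.get("cipher"))
            if reason:
                findings.append((host, c.get("sslversion"), c.get("cipher"), reason))
    return findings


if __name__ == "__main__":
    for host, proto, cipher, reason in find_weak_ciphers(SAMPLE_XML):
        print(f"{host}  {proto:<8} {cipher:<24} {reason}")
```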

What is Maltego?  Well according to their website, it is:

Maltego is an open source intelligence and forensics application. It will offer you timeous mining and gathering of information as well as the representation of this information in an easy to understand format.

What does that mean?

It means that Maltego is a commercial ($) tool that, when provided a person’s name, email address, website, etc., can quickly search for and identify related information from numerous sources on the Internet.

Maltego is particularly useful in scoping for a penetration test or social engineering engagement. Using Maltego one can enumerate employee names, email addresses, phone numbers, positions, as well as alternate websites, DNS entries, and so on.

Maltego comes with a number of built-in transforms. A transform is a module which Maltego uses to perform a particular information search. A varied collection of user-created transforms can also be found and integrated with Maltego.